CVE-2025-29924
📋 TL;DR
XWiki Platform subwikis configured with the 'Prevent unregistered users to view pages' right option (or the similar subwiki-level privacy options) do not have that option enforced on the REST API. An unauthenticated attacker can read pages of such a subwiki through REST endpoints that the normal web UI would refuse to serve without a login. Only subwikis that rely on these right options are affected; the main wiki is not.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers access sensitive private information, documents, or user data from protected subwikis, leading to data breach and privacy violations.
Likely Case
Unauthorized users view restricted content in subwikis, potentially exposing internal documentation, user information, or confidential data.
If Mitigated
With network-level restrictions on the REST API and sensitive content kept out of affected subwikis, impact is limited to the content of those subwikis rather than the whole platform.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill: an attacker only needs to request the REST resource of a page in an affected subwiki (for example the /rest/wikis/{wiki}/spaces/{space}/pages/{page} resource) without credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.10.14, 16.4.6, or 16.10.0RC1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gq32-758c-3wm3
Restart Required: Yes (upgrading XWiki means redeploying the WAR, which requires restarting the servlet container)
Instructions:
1. Identify the running XWiki version.
2. Upgrade to 15.10.14, 16.4.6, or 16.10.0RC1 (or a later release on the same branch) according to your version track; 16.10.0RC1 is a release candidate, so production deployments will normally pick 15.10.14 or 16.4.6.
3. Verify the fix by requesting a page of a protected subwiki through the REST API without credentials and confirming that the request is refused.
🔧 Temporary Workarounds
Disable vulnerable subwiki privacy settings
Do not rely on 'Prevent unregistered users to view pages' and the similar subwiki right options on affected subwikis, since the REST API does not honour them; protect the content with explicit view rights instead and confirm with the check below that anonymous REST reads are refused.
Restrict REST API access
Implement network-level restrictions or web application firewall rules that block requests to the /rest/ paths of affected subwikis from clients that present neither an Authorization header nor an XWiki session cookie.
🧯 If You Can't Patch
- Take affected subwikis offline, or move their sensitive content out of them, until patching is possible
- Implement strict network segmentation so that the XWiki instance is not reachable from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Enable 'Prevent unregistered users to view pages' on a subwiki, then request an existing page of that subwiki through the REST API without credentials, for example GET /xwiki/rest/wikis/{subwiki}/spaces/Main/pages/WebHome with no Authorization header and no session cookie. If the page representation comes back with HTTP 200, the system is vulnerable; a 401 or 403 means the option is enforced. Test a subwiki, not the main wiki, since the main wiki is not affected.
Check Version:
Check the version shown in the XWiki administration interface or in the page footer ("Powered by XWiki ...").
Verify Fix Applied:
After patching, repeat the vulnerability test - unauthenticated REST API requests to protected subwiki pages should be denied.
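The check above, as an added example (not XWiki project code): a small probe that sends an anonymous request to the REST page resource of a subwiki that has the privacy option enabled and classifies the response. BASE_URL, SUBWIKI, SPACE and PAGE are placeholder values for the instance under test; the REST path layout /rest/wikis/{wiki}/spaces/{space}/pages/{page} is XWiki's standard page resource.

```python
"""Unauthenticated REST probe for the subwiki right-option bypass.

Added example, not XWiki project code. It sends an anonymous request to the
XWiki REST page resource of a subwiki that has 'Prevent unregistered users to
view pages' enabled and classifies the response. BASE_URL, SUBWIKI, SPACE and
PAGE are placeholder values for the instance under test.
"""
import urllib.error
import urllib.request

BASE_URL = "https://wiki.example.com/xwiki"   # hypothetical deployment root
SUBWIKI = "hr"        # hypothetical subwiki with the privacy option enabled
SPACE = "Main"        # an existing page in that subwiki (a 404 means pick another)
PAGE = "WebHome"


def page_url(base_url: str, wiki: str, space: str, page: str) -> str:
    """XWiki REST page resource: /rest/wikis/{wiki}/spaces/{space}/pages/{page}."""
    return f"{base_url.rstrip('/')}/rest/wikis/{wiki}/spaces/{space}/pages/{page}"


def classify(status: int) -> str:
    """Verdict for an *anonymous* request to a page of a protected subwiki.

    200     -> VULNERABLE: the page representation was served without a login
    401/403 -> PROTECTED: the right option is enforced on the REST path
    other   -> INCONCLUSIVE (e.g. 404 if the wiki or page does not exist)
    """
    if status == 200:
        return "VULNERABLE"
    if status in (401, 403):
        return "PROTECTED"
    return "INCONCLUSIVE"


def probe(url: str, timeout: float = 10.0) -> tuple[int, bytes]:
    """GET the resource with no Authorization header and no session cookie."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is the verdict we want.
        return err.code, err.read()


if __name__ == "__main__":
    url = page_url(BASE_URL, SUBWIKI, SPACE, PAGE)
    status, body = probe(url)
    verdict = classify(status)
    print(f"{url} -> HTTP {status}: {verdict}")
    if verdict == "VULNERABLE":
        print(body[:200])   # first bytes of the page representation that was disclosed
```

Run it before and after the upgrade against the same subwiki page: the verdict should move from VULNERABLE to PROTECTED. Because the main wiki is not affected, a PROTECTED result for a main-wiki page says nothing about the subwikis.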
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to GET requests for /rest/wikis/{subwiki}/... resources of subwikis that have 'Prevent unregistered users to view pages' enabled, from clients that sent neither an Authorization header nor an XWiki session cookie
- Note that standard servlet access logs do not record request headers, so header presence must be logged explicitly (or inferred from the remote-user field, which only reflects container-level authentication) before this indicator can be used
Network Indicators:
- Unusual volume of REST API requests from sources that never authenticate
- HTTP traffic to /rest/wikis/{subwiki}/... paths of protected subwikis without an Authorization header or session cookie
SIEM Query:
source="xwiki" AND (uri_path="/rest/wikis/*" OR uri_path="/xwiki/rest/wikis/*") AND http_status=200 AND NOT (authorization_header EXISTS OR cookie="*JSESSIONID*")  (pseudo-query: field names depend on the log source, and the result must be filtered to the subwikis that actually have the privacy option enabled, since anonymous 200 responses from public subwikis are normal)
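The log indicators above, as an added example (not XWiki project code): an access-log triage script that parses combined-format lines and flags successful REST page reads of subwikis that are supposed to be closed to unregistered users. The PROTECTED_SUBWIKIS set and the sample log lines are constructed for the example.

```python
"""Access-log triage for the subwiki REST bypass.

Added example, not XWiki project code. Parses Apache/Tomcat combined-format
access log lines and flags HTTP 200 REST page reads of subwikis that are
supposed to be closed to unregistered users. PROTECTED_SUBWIKIS and SAMPLE_LOG
are constructed for the example.
"""
import re

# Subwikis on which 'Prevent unregistered users to view pages' is enabled (assumed).
PROTECTED_SUBWIKIS = {"hr", "legal"}

# Combined log format: ip ident user [timestamp] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# REST wiki resource, with or without the /xwiki context path.
REST_WIKI_RE = re.compile(r'^(?:/xwiki)?/rest/wikis/(?P<wiki>[^/?#]+)')

# Constructed sample: line 1 is the hit; the rest is benign traffic that must not alert
# (main wiki read, refused anonymous read, authenticated read, non-REST view).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /xwiki/rest/wikis/hr/spaces/Main/pages/WebHome HTTP/1.1" 200 1834 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 200 2210 "-" "curl/8.5.0"
198.51.100.4 - - [12/Mar/2025:10:02:10 +0000] "GET /xwiki/rest/wikis/hr/spaces/Main/pages/WebHome HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.9 - alice [12/Mar/2025:10:03:40 +0000] "GET /xwiki/rest/wikis/legal/spaces/Policies/pages/Retention HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:04:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9870 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Return a dict of the combined-format fields, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious(rec, protected=PROTECTED_SUBWIKIS):
    """200 to a REST read of a protected subwiki with no container-level user."""
    if rec["method"] not in ("GET", "HEAD") or rec["status"] != 200:
        return False
    m = REST_WIKI_RE.match(rec["path"])
    if not m or m.group("wiki") not in protected:
        return False
    # "-" means the servlet container saw no authenticated user for this request.
    return rec["user"] == "-"


def scan(log_text, protected=PROTECTED_SUBWIKIS):
    """Return (ip, timestamp, path) for every suspicious line in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec, protected):
            hits.append((rec["ip"], rec["ts"], rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, ts, path in scan(SAMPLE_LOG):
        print(f"{ts} {ip} anonymous REST read of protected subwiki: {path}")
```

Two caveats when using this on real logs. The remote-user field is only filled in when the servlet container itself authenticated the request; XWiki normally authenticates in the application (session cookie or an Authorization header it validates itself), so "-" does not prove the client was anonymous, and hits need to be confirmed against XWiki's own logs or by checking whether the client held a session. Scoping to the subwikis that actually have the privacy option enabled is what keeps the rule useful, because anonymous 200 responses from public subwikis and from the main wiki are normal traffic.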